Hundreds of computers in Ukraine have been infected with data-wiping Windows malware, say researchers at ESET.
In a series of tweets on Wednesday, the infosec biz said it picked up its first sample of the software nasty at about 1500 UTC, and believes the code has been in the works for the past two months.
“ESET telemetry shows that it was installed on hundreds of machines in the country,” the biz stated.
We’re told the data wiper is cryptographically signed with a legit, and presumably stolen, developer certificate to persuade antivirus tools and users to trust it. The malware uses drivers from a partitioning program to corrupt storage devices and destroy files on infected systems, according to ESET.
It’s not entirely clear right now how the malware is dropped onto victims’ machines and run, though in one case, said ESET, an organization’s Active Directory server was probably compromised to distribute the wiper through the network via a group policy object.
ESET dubbed the nasty Win32/KillDisk.NCV. It’s understood the code not only wipes files from the drive, it also nukes the MBR, making booting and recovery difficult or impossible thereafter.
This comes as various Ukrainian websites were disrupted to varying degrees by denial-of-service attacks, and Britain’s National Cyber Security Centre warned of a new Kremlin-linked strain of malware that appears to